Active directory integration can have some configuration options that may or may not work well with Struxureware. The following information are some examples of how DCE and active directory may better work together.

Resolution:

InfraStruxure Central officially supports two software suites for remote authentication: Active Directory and OpenLDAP. While other LDAP based remote authentication suites may work, APC does not test or support them.

1. Search Base Too Large:

Symptom: Only some of the selected users can login, or binding during configuration takes too long and produces an error / blank selection screen. Related error messages may appear in the nbc.xml file.

We test with Active Directory Search Bases as large as 10,000 objects (including Users, Groups, etc…). If your search base exceeds this, you max experience the above symptoms. In general, we recommend creating smaller more tightly defined search bases. Multiple binding entries can be configured in ISX Central, each entry binding to a completely different but isolated search base. It is common to create one binding instance for your admin accounts, and another for your general users, as these two different types of user accounts are likely to exist in very different hierarchical locations within Active Directory.

2. Syntax:

Bind User DN, Bind Password, and Search Base must all be entered with proper syntax. These fields are case sensitive and must match how your Active Directory structure was created. The following are examples of the proper syntax and structure. Please note that the Bind User DN is the actual user (bind-user) that can search the database and the rest of that path is where he can be found. Bind password is that user's password. Search Base is where the users reside that you want to add :

Bind User DN: cn=bind-user,cn=Users,dc=techlab,dc=apcc,dc=com

Search Base: dc=techlab,dc=apcc,dc=com

If using Active Directory on a Windows 2003 server or newer, you should be able to right click the OU that you want the syntax for, then select 'All Tasks', followed by 'Resultant Set of Policy.' This does not work with all version of Active Directory.

NOTE: Similar to issue #1 of having a search base too large, the sub-domain 'techlab' is a very small group of users. If we were to bind to the entire apcc.com domain, we would run into issues with a search base that is too large.

3. Pre-Windows 2000 Username:

Ensure that you are using the Pre-Windows 2000 Username (found in the Properties of the User Object within Active Directory), which may be slightly different syntax than the standard username you use to login to a windows system on a daily basis. ISX Central is also case sensitive in regards to your username, unlike Windows which typically ignores capitalization on a username. Also, if there is a space in a user name, you may want to try entering that name within quotes. For example, instead of John Smith, use "John Smith".

4. Group Type:

If adding User Groups from Active Directory instead of individual User Objects, please ensure that the Active Directory Group is NOT a Global Group. Global group members are unable to login to ISX Central. Changing the group type in Active Directory to Universal will resolve this. More Specifically, if the user and the group do not reside in the same search base, Central will not see the user.

5. Special Characters:

We've seen that Active Directory objects that begin with a # can cause issues with ISX Central being able to parse the AD Search Base. You'll see an error if this happens that states 'Invalid Attribute.' Typically binding to a Search Base one container higher than the one that contains the object beginning with '#' will resolve this issue. However, you cannot select any AD Objects within the container that also contains the '#' object.

6: Protected Users:

Windows 8.1 and Windows Server 2012 R2 have a group called "Protected Users". As of StruxureWare DCE 7.4.1, adding a user that is also a member of this group will cause authentication to fail. We are potentially looking into this for a future release but currently, a user added to DCE can not be a member of this group. More information about the Protected Users group can be found here:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)